What Advanced Persistent Threats (APTs) Can Teach the ICS and SCADA Security Practitioner – Part 2


In last week's blog I introduced a paper recently presented by Professor Paul Dorey on the seven important lessons the IT world has learned in managing Advanced Persistent Threats (APTs). In this article, I will discuss lessons #2, #3 and #4, and how to apply them to ICS and SCADA security.

APTs have been discussed in some depth in previous blogs, so if you aren’t familiar with the concept (or need a review) check out Part #1 of this series. If you want real world examples of APTs, especially ones that have impacted the energy and chemical industries, browse some of my previous blogs on Nitro, Night Dragon and Duqu.

Energy companies were targeted by recent known Advanced Persistent Threats such as Night Dragon and Duqu.

Professor Dorey’s talk discussed the seven advanced approaches that the best companies are using to deal with APTs. His Advanced Approach #1 involved setting what he called “Controls Coverage”. The objective is to focus protection efforts on your company’s most important assets, rather than using the shotgun approach of trying to protect everything equally.

Lesson #2: Focus on Detection, Not Protection

Advanced Approach #2 centers on “Control Focus”. If you are going to spend money on security controls, what types of controls are the most effective? Professor Dorey notes that Detective Controls (i.e. those technologies and processes that detect attacks) are more effective against modern cyber threats when compared to Preventative Controls like firewalls, data diodes and anti-virus software.

Now you might think that a person who designs and sells ICS/SCADA firewalls for a living (me) would be dead against Professor Dorey’s approach. I’m not. The fact is, after reviewing countless control systems and attacks against control systems, I can say the industrial automation world is terrible at detecting anything unusual on its control networks. Few companies can even discover when a contractor has attached an unauthorized laptop to their system, never mind detect a sophisticated, stealthy attack.

The old “security in the dark” approach has to end. SCADA and ICS engineers need to get a better handle on what sort of traffic is travelling over the control network. To address this, a major focus at Tofino Security in the past year has been the addition of strong reporting technologies to the Tofino product line. For example, modules like the Secure Asset Management LSM are designed to detect and report when unexpected devices join your network.

Similarly, Tofino’s deep packet inspection (DPI) modules for the Modbus and OPC protocols provide detailed reporting to third-party Security Information and Event Management (SIEM) systems. So if your read-only remote operator station suddenly starts trying to program a PLC, you can get an immediate alert that trouble is brewing in your control system. Expect to see more detection technologies from the Tofino Security team soon. It is something we strongly believe in.
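To make the “read-only station starts writing to a PLC” case concrete, here is an added example of the kind of check a Modbus DPI module performs. It is illustration code written for this post, not Tofino’s implementation: it parses the MBAP header and function code of each Modbus/TCP request, compares the function code against a per-source policy, and emits a SIEM-style alert line when a host sends something it is not permitted to send, when an unknown host appears, or when a frame is malformed. The IP addresses, the policy table and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes (Modbus Application Protocol specification).
READ_FUNCTIONS = {1, 2, 3, 4}             # read coils, discrete inputs, holding regs, input regs
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # write coil/register(s), mask write, read/write multiple
# Codes such as 8 (diagnostics) and 43 (encapsulated interface) are neither plain reads nor writes.


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7])


def build_request(tid: int, unit: int, fc: int, pdu_body: bytes) -> bytes:
    """Assemble a Modbus/TCP request (used here only to construct sample traffic)."""
    return struct.pack(">HHHBB", tid, 0, len(pdu_body) + 2, unit, fc) + pdu_body


# Constructed policy: the function codes each source host may send to PLCs.
POLICY = {
    "10.0.1.20": READ_FUNCTIONS,                    # read-only remote operator station
    "10.0.1.10": READ_FUNCTIONS | WRITE_FUNCTIONS,  # engineering workstation
}


def inspect(src_ip: str, dst_ip: str, frame: bytes) -> Optional[str]:
    """Return a SIEM-style alert line if the request violates policy, else None."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return f"ALERT malformed_modbus src={src_ip} dst={dst_ip} reason={err}"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return f"ALERT unknown_source src={src_ip} dst={dst_ip} fc={req.function_code}"
    if req.function_code not in allowed:
        kind = "write" if req.function_code in WRITE_FUNCTIONS else "non-read"
        return (f"ALERT policy_violation src={src_ip} dst={dst_ip} unit={req.unit_id} "
                f"fc={req.function_code} class={kind} not permitted for this source")
    return None


# Constructed sample traffic: (src, dst, frame).
SAMPLE_TRAFFIC: List[Tuple[str, str, bytes]] = [
    ("10.0.1.20", "10.0.2.5", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),         # read 10 regs: fine
    ("10.0.1.20", "10.0.2.5", build_request(2, 1, 6, struct.pack(">HH", 0x10, 0x1234))),  # write from read-only host
    ("10.0.1.10", "10.0.2.5", build_request(3, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02")),  # engineering write: fine
    ("10.0.1.99", "10.0.2.5", build_request(4, 1, 3, struct.pack(">HH", 0, 1))),          # host not in inventory
    ("10.0.1.20", "10.0.2.5", b"\x00\x05\x00\x00\x00\x06\x01"),                            # truncated frame
]


def run_sample() -> List[str]:
    """Run the inspector over the sample traffic and return the alerts it raises."""
    return [a for a in (inspect(s, d, f) for s, d, f in SAMPLE_TRAFFIC) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note that the policy is keyed on what a host is *for*, not on what a firewall happens to allow through; the same packet that is routine from the engineering workstation is the alert you want from the operator station. The malformed-frame branch matters too: a request whose MBAP length disagrees with the bytes on the wire is exactly the kind of thing an attacker sends to confuse a naive parser, and it should be reported rather than silently dropped.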

Lesson #3: Move Your Perspective from Perimeter-based to Data-centric

The third lesson for successful APT containment is to change your security focus from controlling the perimeter to controlling specific collections of data, regardless of where they are in space and time. For example, if a financial company can ensure that customer credit card records are encrypted at all times (and the keys to decrypt the records are not leaked), then the loss of a laptop with these records is of limited importance.

Or take the case of Bradley Manning, the young US Army private who leaked thousands of classified documents to WikiLeaks. If these sensitive documents had always been encrypted and Manning had only been able to view them with a controlled application at his desk, then his ability to share so many documents would have been limited. Instead, it is clear that the US Army’s security strategy was to leave them unencrypted (or in a form that was easy to convert to an unencrypted form) and hope these documents never left the perimeter of the US military base. Obviously, this “perimeter-focused” strategy failed badly.

At first glance, applying this lesson to ICS and SCADA systems appears to be difficult, as data confidentiality is of far less importance to the control system. But substitute the word “process” or “asset” for the word “data”, and it makes sense. A “process-centric” or “asset-centric” approach to managing security means making sure that specific high-value processes continue to function reliably regardless of what else is happening around them. The safety world, with standards like IEC 61508 and IEC 61511, has a long history of using this sort of approach.

Lesson #4: Why Log? Compliance versus Threat Detection

The final Advanced Approach lesson for today’s blog looks at the reason we log security events (assuming we log them at all). Too many of the sites I visit, especially sites trying to pass NERC-CIP audits, log only for compliance reasons. They generate massive log collections, but if anyone ever bothers to analyze the logs, it is only after something really bad has happened. By then it is too late.

Now effective threat detection doesn’t mean poring over thousands of logs every day. It means optimizing what information you collect so that dangerous anomalies stand out, rather than getting buried in the noise.

Lessons #1 to #4 – A Realistic Unified Security Strategy

Look back at Lesson #1 – “Focus protection on your most important assets” – and compare it with the three lessons from today. What you will notice is that these four lessons are closely related through the concept of focused effort. For example, effective threat detection is only possible if you focus your controls on detection and focus your coverage on what matters. Unfocused approaches to security that try to protect everything inside a perimeter are too complex and too expensive.

So think about what processes and assets you really want to protect in your SCADA or ICS system and start focusing on those. Think about what would indicate trouble in your system and focus on detecting that. Advance your security approach from scattered to focused and save time, money and effort. Most importantly, you might just save your company from the next APT.
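As an added illustration of Lesson #4 and of the unified strategy above (example code written for this post, not part of the original), here is one way to turn a compliance-style log pile into something an engineer can act on. The idea is simple: learn a baseline of the (source, destination, Modbus function) flows seen during a window the engineers have reviewed as normal, then report only the first occurrence of each flow outside that baseline, ranked so that anything touching a high-value asset (Lesson #1) comes first, and count the routine lines instead of listing them. The log format, the addresses and the “safety PLC” designation are all constructed for the example.

```python
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str]  # (source, destination, Modbus function code)

# Constructed: the assets whose compromise matters most, e.g. a safety PLC (Lesson #1).
HIGH_VALUE_ASSETS: Set[str] = {"10.0.2.7"}


def parse_line(line: str) -> Tuple[str, Flow]:
    """Parse a constructed log line 'ts src=.. dst=.. fc=..' into (timestamp, flow)."""
    ts, *fields = line.split()
    kv: Dict[str, str] = dict(f.split("=", 1) for f in fields)
    return ts, (kv["src"], kv["dst"], kv["fc"])


def learn_baseline(lines: List[str]) -> Set[Flow]:
    """Every flow seen in a window the engineers have reviewed and accepted as normal."""
    return {parse_line(line)[1] for line in lines}


def triage(baseline: Set[Flow], lines: List[str]) -> Tuple[List[str], int]:
    """Return (alerts worth a human's attention, number of routine lines suppressed).

    Only the first occurrence of each flow outside the baseline is reported;
    repeats are counted, not listed, so one chatty host cannot bury the rest.
    """
    reported: Set[Flow] = set()
    alerts: List[Tuple[int, str]] = []
    suppressed = 0
    for line in lines:
        ts, flow = parse_line(line)
        if flow in baseline or flow in reported:
            suppressed += 1
            continue
        reported.add(flow)
        src, dst, fc = flow
        if dst in HIGH_VALUE_ASSETS:
            alerts.append((0, f"HIGH {ts} new flow src={src} dst={dst} fc={fc} (high-value asset)"))
        else:
            alerts.append((1, f"MED  {ts} new flow src={src} dst={dst} fc={fc}"))
    alerts.sort()  # high-value assets first, then by timestamp
    return [text for _, text in alerts], suppressed


# Constructed logs. Baseline: a reviewed day of normal traffic.
BASELINE_LOG = [
    "2012-01-10T08:00:01 src=10.0.1.20 dst=10.0.2.5 fc=3",   # operator station polls PLC A
    "2012-01-10T08:00:02 src=10.0.1.20 dst=10.0.2.6 fc=3",   # operator station polls PLC B
    "2012-01-10T08:00:03 src=10.0.1.10 dst=10.0.2.5 fc=16",  # engineering workstation writes PLC A
    "2012-01-10T08:00:04 src=10.0.1.20 dst=10.0.2.5 fc=3",
]

# Live: mostly the same traffic, plus a write from the read-only station and an
# unknown host reading the safety PLC.
LIVE_LOG = [
    "2012-01-11T08:00:01 src=10.0.1.20 dst=10.0.2.5 fc=3",
    "2012-01-11T08:00:02 src=10.0.1.20 dst=10.0.2.6 fc=3",
    "2012-01-11T08:00:03 src=10.0.1.10 dst=10.0.2.5 fc=16",
    "2012-01-11T08:00:04 src=10.0.1.20 dst=10.0.2.5 fc=6",
    "2012-01-11T08:00:05 src=10.0.1.20 dst=10.0.2.5 fc=3",
    "2012-01-11T08:00:06 src=10.0.1.99 dst=10.0.2.7 fc=3",
    "2012-01-11T08:00:07 src=10.0.1.20 dst=10.0.2.5 fc=6",
    "2012-01-11T08:00:08 src=10.0.1.20 dst=10.0.2.6 fc=3",
]


def run_sample() -> Tuple[List[str], int]:
    """Learn the baseline from BASELINE_LOG and triage LIVE_LOG against it."""
    return triage(learn_baseline(BASELINE_LOG), LIVE_LOG)


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for alert in alerts:
        print(alert)
    print(f"{suppressed} routine lines suppressed")
```

Eight live lines collapse to two alerts, and the one that touches the safety PLC is at the top. The baseline is the focusing step: it encodes which flows the plant has decided are legitimate, so that the detection effort goes into deviations rather than volume. In practice the baseline should be reviewed by the people who own the process, not just learned from whatever happened to be on the wire last week.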

Do you agree with a focused approach to industrial cyber security? Let me know your thoughts.